log of registry restore

[Shoval Tomer]

Is there a way to know if a registry restore / repair has occured?

The registry is not corrupt on our windows 2000 advanced server (with
sp4) but several keys are missing under HKLM/Software/some application

Is there a chance that a registry repair or restore occured? maybe
during a recent restart of the machine?

if so, how can I tell? is there an event i'd search for in the event
log? or a textual log file?

do you have any other idea why this should happen?

TIA

 

[David Adner]

There is not, by default, any auditing or logging of Registry changes.
You can enable auditing (view the Permissions via reged32.exe), but it
has to be configured as nothing in the Registry (I don't believe) is
audited by default.

If your system is missing some Registry keys my guess would be either a
user did it (either intentionally or unknowingly via a setup routine,
utility, etc) or an app did it. Corruption is a possibility, but I
would tend to think you would see more random issues. The Registry
hives are single files, so I wouldn't think corruption would cleanly
remove certain keys; it'd be more likely to just blow out random chunks
or prevent loading of the hive entirely.

 

[David Adner]

There is not, by default, any auditing or logging of Registry changes.
You can enable auditing (view the Permissions via reged32.exe), but it
has to be configured as nothing in the Registry (I don't believe) is
audited by default.

If your system is missing some Registry keys my guess would be either a
user did it (either intentionally or unknowingly via a setup routine,
utility, etc) or an app did it. Corruption is a possibility, but I
would tend to think you would see more random issues. The Registry
hives are single files, so I wouldn't think corruption would cleanly
remove certain keys; it'd be more likely to just blow out random chunks
or prevent loading of the hive entirely.